Date: Sun, 27 Nov 2005 19:56:09 +0100 From: "Alexandre DELAY" <alexandre.delay@free.fr> To: "Chuck Swiger" <cswiger@mac.com> Cc: freebsd-ipfw@freebsd.org Subject: RE: Protocol filter capabilities Message-ID: <MAEBLPAGHGPMOKCBICBNOEONCIAA.alexandre.delay@free.fr> In-Reply-To: <4389FF8D.6050806@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I agree with you, but my aim is not to block traffic between my internal network and the Internet. I only want to filter (not block) certain protocols. I found a nice tool for this: http://freebsd.rogness.net/snort_inline/ -----Message d'origine----- De : owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]De la part de Chuck Swiger Envoye : dimanche 27 novembre 2005 19:49 A : Alexandre DELAY Cc : freebsd-ipfw@freebsd.org Objet : Re: Protocol filter capabilities Alexandre DELAY wrote: [ ...top-posting reformatted... ] >>> Don't you think that it would be a nice thing to be able to include such >>> "filters" from, for example, ethereal? Ethereal support more than 34k >>> different protocols. It woul be nice to be able to choose from those >>> filters and to apply some rules according to those filters. >> >> You're talking about a reactive IDS. You can rig them up using scripts >> which monitor logfiles, or something like /usr/ports/security/snort. >> >> However, I prefer to use IDS for traffic I permit but want to monitor, not >> traffic I already know I want to block. > > Snort doesn't answer to such needs. > It is not able to analyze application protocols such as BEEP or Edonkey. > See: http://www.snort.org/docs/writing_rules/ > > filter application protocol based on ip/ports is not efficient. Some > application are able to work on almost any port. Snort is a tool. It can be used to build an IDS and is well-suited for that task, but it is not intended to entirely replace a firewall. It is true that P2P application protocols are very adaptive and are able to work via almost any port. However, they do not work through a properly configured proxy using a "deny all" firewall in what is called a DMZ or screened subnet firewall architecture. If your network is set up for this correctly, internal machines on the LAN will never be allowed to make external requests, at all (period); clients may even run without a default route set and without the firewall having NAT enabled. -- -Chuck _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MAEBLPAGHGPMOKCBICBNOEONCIAA.alexandre.delay>